assurance - RE: [Assurance] Information Security Guide to InCommon IAP Cross Reference
Subject: Assurance
- From: "Roy, Nicholas S" <>
- Subject: RE: [Assurance] Information Security Guide to InCommon IAP Cross Reference
- Date: Wed, 18 Jul 2012 20:38:26 +0000
> I continue to be surprised/concerned that this is not explicitly addressed
> in the Identity Assurance Profile.
Now that you mention it, yeah, that does seem like a pretty big omission.
Maybe that's assumed to be part of secure IdPO operations, but it seems like
it's worth explicitly calling out. I don't know about use of keys in the
other FICAM profiles, but at least for the SAML2 profile, I'd think this
should be explicitly called out.
Nick
-----Original Message-----
From:
[mailto:]
On Behalf Of Tom Scavo
Sent: Wednesday, July 18, 2012 2:19 PM
To:
Subject: Re: [Assurance] Information Security Guide to InCommon IAP Cross
Reference
> I don't see anything that would apply to protecting private keys held
> by the IdP.
Thanks for checking.
> Are you specifically thinking about the keys associated
> with exchanging information with the IdP, or do you mean something
> like key escrow for private keys associated with personal
> certificates?
The former. Proper handling of the IdP's private signing key
(https://spaces.internet2.edu/x/E43NAQ) is critically important in a
federated scenario. I continue to be surprised/concerned that this is not
explicitly addressed in the Identity Assurance Profile.
Tom